Personal Devices on a Corporate Network

When supporting personal devices on a corporate network, you must protect network services and enterprise data by authenticating and authorizing users and their devices. A Cisco ISE Advanced License provides the tools you need to allow employees to securely use personal devices on a corporate network.

Users have two ways of adding their personal devices to the network: using native supplicants or the My Devices portal. You can create native supplicant profiles so that when a user logs in, based on the profile that you associate with that user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard needed to set up the user’s personal device to access the network. Native supplicant profiles are not available for all devices, but users can use the My Devices portal to add those devices manually.

Personal Devices Portals

Self-Provisioning Portal

Employees access the Self-Provisioning portal when registering personal devices using native supplicants. The first time employees attempt to access the network using a personal device, they will be guided automatically through registering and installing the supplicant. After they have registered a device, they can use the My Devices portal to manage it.

My Devices Portal

Some network devices are not supported by native supplicants. If the operating system is not supported or if the devices do not have web browsers (such as printers, Internet radios, and other devices), these devices still need to access the network. To add these types of devices to your company's network, employees need to use the My Devices portal.

Employees can add and manage new devices by entering the MAC address for the device. When employees add devices using the My Devices portal, Cisco ISE adds the devices to the Endpoints page as members of the RegisteredDevices endpoint identity group. The devices are profiled like any other endpoint in Cisco ISE and go through a registration process for network access.

When employees register their devices using the My Devices portal or during native supplicant provisioning, the Device Registration Status and BYOD Registration Status attributes in Administration > Identity Management > Identities > Endpoints are updated from NotRegistered and Unknown to Registered and Yes respectively. When a registered device is deleted from the portal, the Device Registration Status and BYOD Registration Status attributes change to NotRegistered and No respectively. However, these attributes remain unchanged when a guest user (who is not an employee) registers their device using the guest device registration page, because these are BYOD attributes used only during employee device registration.

Regardless of whether or not employees register their devices using the native supplicant or the My Devices portal, all employees can use the My Devices portal to manage their personal devices.

Blacklist Portal

Employees can report a device as lost, which adds it to the Blacklist endpoint identity group and prevents others from using the device to obtain unauthorized network access. If users attempt to connect to the network using one of these devices, they are redirected to the Blacklist portal. If the device is found, the employee can reinstate it and regain network access without having to register the device again.

You can configure the port settings (default is port 8444) for the Blacklist portal using the Admin portal. Employees do not access this portal directly.

Employee Accounts

When you add employees or contractors to Cisco ISE, you can authorize them to use personal devices on the network. Whether you have added them using external identity stores or created internal users, you can authorize them to use personal devices on your network.

Supporting Device Registration Using Native Supplicants

You can create native supplicant profiles to support personal devices on the Cisco ISE network. Based on the profile that you associate with that user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard needed to set up the user’s personal device to access the network.

The first time employees attempt to access the network using a personal device, they will be guided automatically through registration and supplicant configuration. After they have registered the device, they can use the My Devices portal to manage their devices.

The self-provisioning flow enables employees to connect devices to the network directly using native supplicants, which are available for Windows, MacOS, iOS, and Android devices.

If you do not want to enable this feature, employees can still add personal devices using the My Devices portal. By default, this feature is disabled when upgrading and enabled when performing a fresh installation of Cisco ISE.

Supporting the My Devices Portal

Employees can use the My Devices portal to register and manage their personal devices. The My Devices portal includes online help that provides employees with assistance in using the portal. However, there are several things you need to do to prepare the portal before employees can access it.

Specifying the Identity Store Sequence Used for Employee Authentication

To allow an employee to log into the My Devices portal, you must specify an identity store sequence. This sequence is used with the login credentials of an employee to authenticate and authorize the employee for access to the My Devices portal. Cisco ISE includes a default identity store sequence for employees: MyDevices_Portal_Sequence.

Managing Personal Devices Added by Employees

When an employee registers a device using a native supplicant or adds a device to the My Devices portal, it displays in the Endpoints list. Although employees can disassociate a device from their account by deleting it, the device remains in the Cisco ISE database. As a result, employees might need your assistance in resolving errors they encounter when working with their devices.

Displaying Devices Added by an Employee

You can locate devices added by a specific employee using the Portal User field displayed on the Endpoints listing page. This might be useful if you need to delete any devices registered by a specific user. By default, this field is not displayed, so you must enable it before searching by it.

Registered Endpoints Report

The Registered Endpoints report provides information about the endpoints that are registered through the device registration portal. (For information on supplicant provisioning statistics and related data, see Viewing Client Provisioning Reports.)

You can query the endpoint database for endpoints that are assigned to the RegisteredDevices endpoint identity group. You can also generate a report for a specific user; the endpoints included are those whose PortalUser attribute is set to a non-null value.

The Registered Endpoints Report provides information about a list of endpoints that are registered through the device registration portal by a specific user for a selected period of time.

Step 1 Log into your Cisco ISE user interface.

Step 2 Choose Operations > Reports > Catalog.

Step 3 In the Reports navigation pane, click My Devices.

Step 4 Choose Registered Endpoints.

Step 5 Click Run.

Before generating the report, you can filter it by user, by the MAC address of a registered device, by identity group, or by endpoint policy.

Errors When Adding Devices to My Devices Portal

Employees cannot add a device through the My Devices portal if another employee has previously added it, because the device already exists in the Cisco ISE endpoints database.

If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.

If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.

Devices Deleted from My Devices Portal Remain in Endpoints Database

When an employee deletes a device from the My Devices portal, the device is removed from their list of registered devices, but it remains in the Cisco ISE endpoints database and still displays in the RegisteredDevices endpoint identity group. Because authorization rules commonly match on that group, you should permanently delete the device from the Endpoints page (Administration > Identity Management > Identities > Endpoints) if it should no longer receive network access.
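The registration, ownership and deletion rules described under Managing Personal Devices Added by Employees, together with the attribute transitions and the Blacklist behaviour described under Personal Devices Portals, as one added stand-alone model. This is example code, not Cisco ISE code and not its API: the class, method and helper names are assumptions chosen for illustration, while the attribute values (Registered/NotRegistered, Yes/No/Unknown, RegisteredDevices, Blacklist, PortalUser) are the ones the text names. The authorize() method is a hypothetical group-based authorization rule, included to show why a device an employee deleted from the portal should also be removed from the Endpoints page: it is still a member of RegisteredDevices.

```python
"""Added model of the endpoint registration rules on this page (not Cisco ISE code).
Names are assumptions; attribute values are the ones the documentation uses."""
import re
from dataclasses import dataclass
from typing import Optional

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?)([0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABBCCDDEEFF; return upper-case, colon-separated."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Endpoint:
    mac: str
    portal_user: Optional[str] = None            # PortalUser attribute; None for unowned (e.g. MAB) endpoints
    identity_group: str = "Unknown"              # assumed default group for an unregistered endpoint
    device_registration_status: str = "NotRegistered"
    byod_registration_status: str = "Unknown"
    description: str = ""


class EndpointDB:
    def __init__(self):
        self.endpoints: dict = {}

    def _owned(self, user, mac):
        ep = self.endpoints[normalize_mac(mac)]
        if ep.portal_user != user:
            raise PermissionError(f"{ep.mac} is not registered to {user}")
        return ep

    def _mark_registered(self, ep, user, description):
        ep.portal_user, ep.identity_group = user, "RegisteredDevices"
        ep.device_registration_status, ep.byod_registration_status = "Registered", "Yes"
        ep.description = description

    def add_via_my_devices(self, user, mac, description=""):
        """Employee enters a MAC in My Devices. Rejected if the MAC already exists in the
        database under another owner or with no owner (e.g. a printer someone registered earlier)."""
        mac = normalize_mac(mac)
        ep = self.endpoints.get(mac)
        if ep is not None and ep.portal_user != user:
            raise ValueError(f"{mac} already exists in the endpoints database (PortalUser={ep.portal_user}); "
                             "resolve ownership or delete it from the Endpoints page")
        ep = ep or self.endpoints.setdefault(mac, Endpoint(mac))
        self._mark_registered(ep, user, description)
        return ep

    def register_via_native_supplicant(self, user, mac, description=""):
        """Self-Provisioning flow: overwrites any existing registration and switches ownership."""
        mac = normalize_mac(mac)
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        self._mark_registered(ep, user, description)
        return ep

    def register_via_guest_portal(self, mac):
        """Guest device registration page: the endpoint is created, BYOD attributes stay unchanged."""
        mac = normalize_mac(mac)
        return self.endpoints.setdefault(mac, Endpoint(mac))

    def portal_delete(self, user, mac):
        """Employee deletes the device in My Devices: disassociated from the account and attributes
        reset, but the endpoint stays in the database and in RegisteredDevices."""
        ep = self._owned(user, mac)
        ep.portal_user = None
        ep.device_registration_status, ep.byod_registration_status = "NotRegistered", "No"
        return ep

    def admin_delete(self, mac):
        """Administrator deletes the endpoint from the Endpoints page (permanent)."""
        del self.endpoints[normalize_mac(mac)]

    def report_lost(self, user, mac):
        """Employee marks a device lost: moved to the Blacklist endpoint identity group."""
        ep = self._owned(user, mac)
        ep.identity_group = "Blacklist"
        return ep

    def reinstate(self, user, mac):
        """Device found: back to RegisteredDevices without registering again."""
        ep = self._owned(user, mac)
        ep.identity_group = "RegisteredDevices"
        return ep

    def authorize(self, mac):
        """Hypothetical group-based authorization rule of the kind an administrator would write."""
        ep = self.endpoints.get(normalize_mac(mac))
        if ep is not None and ep.identity_group == "Blacklist":
            return "redirect to Blacklist portal"
        if ep is not None and ep.identity_group == "RegisteredDevices":
            return "permit"          # also true for portal-deleted endpoints until the admin deletes them
        return "registration-required"

    def registered_endpoints_report(self, user=None):
        """Registered Endpoints report: RegisteredDevices members with a non-null PortalUser."""
        return [ep for ep in self.endpoints.values()
                if ep.identity_group == "RegisteredDevices" and ep.portal_user is not None
                and (user is None or ep.portal_user == user)]
```

Walking a MAC through add_via_my_devices, a second employee's failed add, register_via_native_supplicant, report_lost, reinstate and portal_delete reproduces the transitions the text describes; the last step is the one to notice, because authorize() still returns "permit" for the portal-deleted endpoint until admin_delete() removes it.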

Deployment Scenarios for Personal Devices Using Native Supplicants

The deployment flows to support personal devices using native supplicants vary slightly based on these factors:

Single or dual SSID—With single SSID, the same WLAN is used for certificate enrollment, provisioning, and network access. In a dual SSID deployment, there are two SSIDs: one provides enrollment and provisioning and the other provides secure network access.

Windows, MacOS, iOS, or Android device—The native supplicant flow starts similarly regardless of device type by redirecting employees using a supported personal device to the Self-Provisioning portal to confirm their device information. At this point, the process diverges based on device type.

Employee Connects to Network

Single SSID—Employee connects the device to the 802.1x SSID by entering the corporate username and password.

Dual SSID—Employees connect to the open guest provisioning SSID, are redirected to the Guest portal, and enter their user credentials in the standard Guest portal.

Employee’s Credentials are Authenticated

Cisco ISE authenticates the user against the corporate Active Directory or other corporate identity stores and applies the matching authorization policy.

Device is Redirected to the Self-Provisioning Portal

The device is redirected to the Self-Provisioning portal. The device's MAC address is automatically pre-configured, but employees can verify it and add a description.

Native Supplicant is Configured (MacOS, Windows, iOS, Android)

The native supplicant is configured; the process varies by device.

MacOS and Windows devices—the user clicks the Register button on the Self-Provisioning portal to download and install the supplicant provisioning wizard, which configures the supplicant and provides the certificate (if required).

iOS devices—the Cisco ISE policy server sends a new profile to the device using Apple's iOS over-the-air (OTA) enrollment, which includes:

– A Wi-Fi supplicant profile that enforces the use of MSCHAPv2 or EAP-TLS for 802.1X authentication.

Android devices—Cisco ISE prompts and routes the employee to download the Cisco Network Setup Assistant from Google Play. After installing the app, the employee opens it and starts the setup wizard, which generates the authentication parameters and initiates a certificate request (if required) for the device certificate.
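A sketch of what the Wi-Fi supplicant profile delivered to an iOS device in the step above can look like, as an added example that is not the profile Cisco ISE generates. It builds an Apple configuration profile (plist) with a com.apple.wifi.managed payload whose AcceptEAPTypes list offers only the chosen method, EAP-TLS (type 13) or PEAP (type 25, whose inner method on Apple devices is MSCHAPv2), and it refuses to build a profile that does not pin the RADIUS server name and trust anchor, because a MSCHAPv2 profile without server validation hands the credential exchange to any access point that spoofs the SSID. The SSID, server name, certificate bytes, payload identifiers and function names are constructed placeholders.

```python
"""Added example: an iOS Wi-Fi supplicant profile restricted to one EAP method and
pinned to the corporate RADIUS identity. Not the profile Cisco ISE produces; the
plist keys are Apple's configuration-profile keys, everything else is a placeholder."""
import plistlib
import uuid

# IANA EAP method type numbers, as used in Apple's AcceptEAPTypes array.
EAP_TLS = 13   # certificate-based, no password crosses the air
PEAP = 25      # TLS tunnel with MSCHAPv2 inside (Apple's PEAP inner method)


def _payload(ptype, name, content=None):
    """Common payload header. UUIDs and identifiers are constructed placeholders."""
    p = {"PayloadType": ptype, "PayloadVersion": 1,
         "PayloadUUID": str(uuid.uuid4()).upper(),
         "PayloadIdentifier": f"com.example.byod.{ptype}",
         "PayloadDisplayName": name}
    if content is not None:
        p["PayloadContent"] = content
    return p


def build_wifi_profile(ssid, method, trusted_server_names, ca_cert_der,
                       identity_p12=None, identity_password=None):
    """Return the profile as plist bytes. method is 'EAP-TLS' or 'PEAP-MSCHAPv2'."""
    if method == "EAP-TLS":
        eap_types = [EAP_TLS]
        if identity_p12 is None:
            raise ValueError("EAP-TLS needs a client identity (PKCS#12) to present")
    elif method == "PEAP-MSCHAPv2":
        eap_types = [PEAP]
    else:
        raise ValueError(f"unsupported method {method!r}")
    if not trusted_server_names:
        # Without a pinned server name the supplicant will talk MSCHAPv2 to a rogue RADIUS server.
        raise ValueError("refusing to build a profile that does not pin the RADIUS server name")

    ca = _payload("com.apple.security.root", "Corporate RADIUS CA", ca_cert_der)
    eap = {
        "AcceptEAPTypes": eap_types,                          # only this method is offered
        "TLSTrustedServerNames": list(trusted_server_names),  # server certificate name check
        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # trust only the corporate CA
    }
    wifi = _payload("com.apple.wifi.managed", f"Wi-Fi {ssid}")
    wifi.update({"SSID_STR": ssid, "AutoJoin": True, "HIDDEN_NETWORK": False,
                 "EncryptionType": "WPA2", "EAPClientConfiguration": eap})
    payloads = [ca, wifi]
    if identity_p12 is not None:
        ident = _payload("com.apple.security.pkcs12", "BYOD client certificate", identity_p12)
        if identity_password is not None:
            ident["Password"] = identity_password
        wifi["PayloadCertificateUUID"] = ident["PayloadUUID"]  # client certificate for EAP-TLS
        payloads.append(ident)

    root = _payload("Configuration", f"BYOD {method} profile", payloads)
    return plistlib.dumps(root)


def check_profile(profile_bytes):
    """Parse a profile and summarise what it enforces; useful as a pre-deployment check."""
    root = plistlib.loads(profile_bytes)
    wifi = next(p for p in root["PayloadContent"] if p["PayloadType"] == "com.apple.wifi.managed")
    eap = wifi["EAPClientConfiguration"]
    return {
        "ssid": wifi["SSID_STR"],
        "eap_types": eap["AcceptEAPTypes"],
        "server_names": eap.get("TLSTrustedServerNames", []),
        "anchored": bool(eap.get("PayloadCertificateAnchorUUID")),
        "has_identity": "PayloadCertificateUUID" in wifi,
    }


if __name__ == "__main__":
    # Constructed placeholder bytes; a real profile carries the DER-encoded CA and a PKCS#12 blob.
    ca_der = b"\x30\x82\x01\x00constructed-ca-placeholder"
    profile = build_wifi_profile("corp-secure", "EAP-TLS", ["ise.corp.example"], ca_der,
                                 identity_p12=b"constructed-pkcs12", identity_password="changeit")
    print(check_profile(profile))
```

check_profile() is the part worth keeping in a real deployment: run it over whatever profile your provisioning system emits and fail the rollout if eap_types contains more than the intended method, server_names is empty, or anchored is false.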

Change of Authorization Issued

Cisco ISE initiates a Change of Authorization (CoA) and connects the MacOS, Windows, and Android devices to the secure dot1x network. For single SSID, iOS devices also connect automatically, but for dual SSID, the wizard prompts iOS users to connect to the new network manually.